[MASWE-0013] Hardcoded Cryptographic Keys in Use

[cpholguera]

Description

Create a new weakness for "Hardcoded Cryptographic Keys in Use (MASVS-CRYPTO-2)" using the following information:

One thing is to include hardcoded keys in the code, another is to use them.

Update https://github.com/OWASP/owasp-mastg/blob/master/weaknesses/MASVS-CRYPTO/MASWE-0013.md including the following content:

## Overview

## Impact

## Modes of Introduction

## Mitigations

To complete the sections follow the guidelines from Writing MASTG Risks & Tests. Use other MASWE items in status: new for reference. For example: MASWE-0027

Use at least the following references:

• https://developer.android.com/topic/security/risks/hardcoded-cryptographic-secrets

When creating the corresponding tests, use the following areas to guide you:

• hardcoded keys used at runtime

MASTG v1 Refactoring:

If the risk has a MASVS v1 ID, you can use it to search for related tests in the MASTG and use them as input to define your risks and associated tests.

• MASTG-TEST-0062 - Testing Key Management (ios)
• MASTG-TEST-0013 - Testing Symmetric Cryptography (android)

[ScreaMy7]

I can work on this. Please assign this to me.

[ScreaMy7]

Hi @cpholguera, Can you explain a bit more about test-cases derived from this risk and what the term "hardcoded keys used at runtime" means here? We came up with two possible conclusions here, first could be the detection of API tokens and secrets hardcoded in the code and the second conclusion could be the detection of keys of the cryptographic algorithm. Thanks,

[cpholguera]

@ScreaMy7 This comes from the original requirement MASVS 3.1 (MSTG-CRYPTO-1): "The app does not rely on symmetric cryptography with hardcoded keys as a sole method of encryption."

The fact that "sensitive data is hardcoded in the app package" should be covered by https://github.com/OWASP/owasp-mastg/issues/2543 (which will include crypto keys, API keys and more).

This risk here is about the "use of Cryptographic Keys" specifically.

The tests should be pretty straightforward using as a base the existing MASTG v1 tests linked above. For example, the Android illustrates this case: https://mas.owasp.org/MASTG/tests/android/MASVS-CRYPTO/MASTG-TEST-0013/

So basically the work to be done here is:

• Create a risk (generic about the risk)
• Create a test for Android (mentioning specific Android crypto APIs)
  • Create one example for the static test
  • Create one example for the dynamic test
• Create a test for iOS (mentioning specific iOS crypto APIs)
  • Create one example for the static test
  • Create one example for the dynamic test

Here are 2 existing risks including static and dynamic tests which you can use as a reference:

• Static / semgrep: risks/MASVS-CRYPTO/1-strong-crypto/insecure-random/
• Dynamic / frida-trace: risks/MASVS-STORAGE/2-prevent-data-leakage/data-in-logs

Guidelines: https://docs.google.com/document/d/1EMsVdfrDBAu0gmjWAUEs60q-fWaOmDB5oecY9d9pOlg/edit?usp=sharing